Bug 1158622 - SELinux denial when mounting glusterfs nfs volume when using base-port option
Summary: SELinux denial when mounting glusterfs nfs volume when using base-port option
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: GlusterFS
Classification: Community
Component: nfs
Version: 3.5.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Niels de Vos
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-29 18:03 UTC by Jason Brooks
Modified: 2014-11-15 22:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-15 22:25:42 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:



Description Jason Brooks 2014-10-29 18:03:59 UTC
Description of problem:

I'm using gluster to provide storage for ovirt, and running ovirt and gluster on the same machine. Due to a port conflict between gluster and libvirt live migration, I use the base-port option described at https://bugzilla.redhat.com/show_bug.cgi?id=987555, and switch the base port from 49152 to 50152.

However, when attempting to mount a gluster volume via nfs on the same machine hosting the volume, I get an selinux denial, and the mount fails with "file not found". If I leave the base-port option commented out, the mount proceeds as expected.

Putting selinux into permissive, or setting "setsebool -P nis_enabled 1" allows mount to proceed.

from the audit.log:

type=AVC msg=audit(1414599671.391:578): avc:  denied  { name_connect } for  pid=3717 comm="glusterfs" dest=50153 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):

glusterfs 3.5.2-1.el7 on CentOS 7

Comment 1 Niels de Vos 2014-11-04 12:25:44 UTC
I highly recommend not mounting a Gluster volume over NFS on a Gluster Server. You can only use NFS on a Gluster Server if you disable the locking. This obviously is quite risky as it can cause data corruption.

If this really is what you want to do, we can figure out which ports the selinux-policy allows for the Gluster processes. But, I doubt that the standard policy should get adjusted to allow any port that can be set by using the base-port option. This likely is something for which you need to modify/extend the policy locally. (I'm not sure why "setsebool -P nis_enabled 1" would make a difference.)

Please let me know how you want to continue with this, and what your expectations are. Thanks!

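For readers who do want to extend the policy locally, as Comment 1 suggests, rather than flip nis_enabled (a blanket boolean that hands confined domains broad network access, which is why it happens to make the mount work), the following is an added example written for this page; it is not code from the bug report, from GlusterFS, or from selinux-policy. It parses AVC records like the one in the description, groups them the way `audit2allow -M` does, and emits a Type Enforcement (.te) module you can read before loading. It also computes the narrower alternative: instead of allowing glusterd_t to name_connect to every ephemeral_port_t port, label just the base-port range with a Gluster port type. The sample log below is constructed from the reported AVC line plus one invented record for the next brick port, and the port type name `glusterd_port_t` is an assumption to confirm against `semanage port -l` on the host (and, with `sesearch -A -s glusterd_t -t glusterd_port_t`, that the policy already allows that connection).

```python
"""Turn SELinux AVC denials into a local policy module (added example)."""
import re

# Constructed sample: the AVC line quoted in the report plus one invented
# denial for the next brick port, to show aggregation across records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414599671.391:578): avc:  denied  { name_connect } for  pid=3717 comm="glusterfs" dest=50153 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414599671.391:578): arch=c000003e syscall=42 success=no exit=-13 comm="glusterfs" subj=system_u:system_r:glusterd_t:s0
type=AVC msg=audit(1414599672.107:579): avc:  denied  { name_connect } for  pid=3717 comm="glusterfs" dest=50154 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
"""

_AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record; return a dict for AVC denials, None otherwise."""
    m = _AVC_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    type_of = lambda ctx: ctx.split(":")[2]  # user:role:type:level -> type
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": type_of(kv["scontext"]),
        "ttype": type_of(kv["tcontext"]),
        "tclass": kv["tclass"],
        "dest": int(kv["dest"]) if "dest" in kv else None,
        "comm": kv.get("comm"),
    }


def collect(log_text):
    """Group denials by (source type, target type, class) and union the perms.
    Also return the destination ports that were hit on ephemeral_port_t."""
    rules, ports = {}, set()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        rules.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
        if d["dest"] is not None and d["ttype"] == "ephemeral_port_t":
            ports.add(d["dest"])
    return rules, ports


def render_te(module_name, rules):
    """Emit a Type Enforcement module in the shape audit2allow -M produces."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    class_perms = {}
    for (_, _, cls), perms in rules.items():
        class_perms.setdefault(cls, set()).update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (s, tt, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {tt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def port_ranges(ports):
    """Collapse a set of ports into sorted contiguous (lo, hi) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def suggest_port_labels(ports, port_type="glusterd_port_t"):
    """Narrower alternative to the allow rule: relabel only the observed ports
    with a Gluster port type (assumed name; confirm with `semanage port -l`)."""
    return [f"semanage port -a -t {port_type} -p tcp {lo}-{hi}" if lo != hi
            else f"semanage port -a -t {port_type} -p tcp {lo}"
            for lo, hi in port_ranges(ports)]


if __name__ == "__main__":
    rules, ports = collect(SAMPLE_AUDIT_LOG)
    print(render_te("glusterd_baseport", rules))
    print("# narrower alternative:")
    print("\n".join(suggest_port_labels(ports)))
```

Running the script on a real `/var/log/audit/audit.log` (feed the file contents to `collect`) prints a .te module; the usual way to load it is `checkmodule -M -m -o glusterd_baseport.mod glusterd_baseport.te`, `semodule_package -o glusterd_baseport.pp -m glusterd_baseport.mod`, then `semodule -i glusterd_baseport.pp`. Prefer the `semanage port` relabel when it works on your policy: it keeps glusterd_t confined to Gluster-labelled ports instead of opening the whole ephemeral range, and it needs no custom module to maintain across selinux-policy updates.
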
Comment 2 Jason Brooks 2014-11-13 18:32:11 UTC
This is no longer an issue for me, as the oVirt project appears to have worked around the gluster port / migration port conflict, so I don't need to make this base port change.

For posterity, setting Lock=False in /etc/nfsmount.conf, as we discussed over irc, allows gluster's nfs server to start reliably even while mounting the gluster volume over nfs on the gluster server.

Comment 3 Niels de Vos 2014-11-15 22:25:42 UTC
Thanks for the update, closing as WORKSFORYOU.

